server {
  listen 80;
  listen [::]:80;
  server_name gnusocial.example;
  rewrite ^ https://$server_name$request_uri? permanent;
}

server {
  listen 443 ssl;
  server_name gnusocial.example;

  # Security
  ssl on;
  ssl_certificate /etc/ssl/certs/gnusocial.example.pem;
  ssl_certificate_key /etc/ssl/private/gnusocial.example.key;
  ssl_dhparam /etc/ssl/certs/gnusocial.example.dhparam;

  ssl_session_timeout 60m;
  ssl_prefer_server_ciphers on;
  ssl_session_cache  builtin:1000  shared:SSL:10m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
  ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
  add_header Strict-Transport-Security max-age=15768000;

  # Logs
  access_log off;
  error_log off;

  # Root
  root /etc/share/gnusocial;

  # Index
  index index.php;

  # PHP
  location ~ \.php {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
  }

  # Location
  location / {
    try_files $uri $uri/ @gnusocial;
  }

  # Fancy URLs
  location @gnusocial {
    rewrite ^(.*)$ /index.php?p=$1 last;
  }

  # Restrict access that is unnecessary anyway
  location ~ /\.(ht|git) {
    deny all;
  }

  client_max_body_size 15m;
}


server {
    listen 127.0.0.1:8087 default_server;
    server_name gnusocial.example;

  # Logs
  access_log off;
  error_log off;

  # Root
  root /etc/share/gnusocial;

  # Index
  index index.php;

  # PHP
  location ~ \.php {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
  }

  # Location
  location / {
    try_files $uri $uri/ @gnusocial;
  }

  # Fancy URLs
  location @gnusocial {
    rewrite ^(.*)$ /index.php?p=$1 last;
  }

  # Restrict access that is unnecessary anyway
  location ~ /\.(ht|git) {
    deny all;
  }

  client_max_body_size 15m;
}
